Tenable Enclave Security Helm Charts
Tenable Enclave Security leverages the Helm open-source package manager. When you install, configure, or upgrade Tenable Enclave Security, use this Helm Chart.
To download the Helm Chart for Tenable Enclave Security, go to https://github.com/tenable/helm-charts.
Helm Chart
Helm Chart | Description |
---|---|
tes-operator | Configures the namespace, persistent volume claim, and StatefulSet Pods to pull images from container registries. |
Note: Tenable Enclave Security does not support changing any values besides the ones listed here.
Specify CPU and Memory Requests and Limits
The following example is for an environment with 10,000 active IPs. For sizing requirements specific to your needs, see System Requirements.
tes:
  blades:
    securitycenter:
      resources:
        limits:
          cpu: 4000m
          memory: 8Gi
        requests:
          cpu: 2000m
          memory: 8Gi
    container-security:
      tes-consec-api:
        resources:
          requests:
            memory: "3Gi"
            cpu: "2"
          limits:
            memory: "6Gi"
            cpu: "4"
      tes-consec-scan:
        resources:
          requests:
            memory: "5Gi"
            cpu: "2"
          limits:
            memory: "10Gi"
            cpu: "4"
      tes-consec-policy:
        resources:
          requests:
            memory: "2Gi"
            cpu: "2"
          limits:
            memory: "6Gi"
            cpu: "4"
      tes-consec-tvdl:
        resources:
          requests:
            memory: "10Gi"
            cpu: "2"
          limits:
            memory: "15Gi"
            cpu: "4"
Specify Disk Space
persistentVolumeClaim:
  size: 900Gi
Specify Service Annotations (Optional)
If you are using Kubernetes in a hosted environment and your provider (for example, AWS) supports it, use the following annotation to restrict access to the created load balancer.
service:
  annotations:
    service.beta.kubernetes.io/load-balancer-source-ranges: "<IP Range>"
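The following check is an added example, not part of Tenable's documentation or Helm chart. It lints the value you substitute for `<IP Range>` before deployment, catching an unfilled placeholder, an allow-all range, or an overly broad CIDR. The function name and the /16 breadth threshold are assumptions to adapt to local policy; the value is treated as the comma-separated CIDR list the annotation accepts.

```python
import ipaddress

# Annotation key from the page; its value is a comma-separated list of CIDRs.
ANNOTATION = "service.beta.kubernetes.io/load-balancer-source-ranges"


def audit_source_ranges(value, min_ipv4_prefix=16):
    """Return findings for an annotation value; an empty list means it passed.

    min_ipv4_prefix is an assumed local policy, not a Tenable requirement.
    """
    if not value.strip():
        return ["empty value: no source range specified"]
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            findings.append("empty entry: stray comma")
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            # Also catches the literal "<IP Range>" placeholder left in place.
            findings.append(f"{entry}: not a valid CIDR")
            continue
        net = iface.network
        if "/" not in entry:
            findings.append(f"{entry}: missing prefix length")
        elif net.prefixlen == 0:
            findings.append(f"{entry}: allows every source address")
        elif iface.ip != net.network_address:
            findings.append(f"{entry}: host bits set, did you mean {net}?")
        elif net.version == 4 and net.prefixlen < min_ipv4_prefix:
            findings.append(f"{entry}: broader than /{min_ipv4_prefix}")
    return findings


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not real ones.
    samples = [
        "203.0.113.0/24,198.51.100.7/32",
        "<IP Range>",
        "0.0.0.0/0",
        "10.1.2.3/16",
    ]
    for sample in samples:
        result = audit_source_ranges(sample)
        print(f"{ANNOTATION}: {sample!r} -> {result or 'ok'}")
```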
Specify Node Affinity (Optional)
Tenable Enclave Security requires an amd64 node. If you are using Kubernetes in an environment with multiple available node types, or that requires a node affinity policy, you can add the policy to values.yaml. The following is an example policy for Karpenter in AWS and EKS.
tes:
  blades:
    global:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                  - key: karpenter.sh/capacity-type
                    operator: In
                    values:
                      - on-demand
Disable cert-manager CSI Driver (Optional)
Tenable Enclave Security recommends using the cert-manager CSI driver to provision the certificates its services use for mTLS. However, if the CSI driver cannot be installed on your cluster, you can disable it by specifying the following configuration. With the driver disabled, cert-manager certificate resources provision the certificates into a secret that the respective services consume:
tes:
  blades:
    global:
      disableCertManagerCsiDriver: true
Specify PVC Size (Optional)
You can use the following option to adjust the PVC size for the services.
tes:
  blades:
    securitycenter:
      persistentVolumeClaim:
        size: {size}
    container-security:
      tes-consec-scan:
        persistentVolumeClaim:
          size: {size}
      tes-consec-tvdl:
        persistentVolumeClaim:
          size: {size}
Specify PVC Storage Class (Optional)
You can use the following option to specify the PVC storage class.
tes:
  blades:
    securitycenter:
      persistentVolumeClaim:
        storageClassName: {storage class}
    container-security:
      tes-consec-scan:
        persistentVolumeClaim:
          storageClassName: {storage class}
      tes-consec-tvdl:
        persistentVolumeClaim:
          storageClassName: {storage class}
Specify Registry for PostgreSQL DB Image (Optional)
You can use the following option to specify the PostgreSQL DB image registry.
tes:
  blades:
    securitycenter:
      db:
        initJob:
          image:
            registry: {registry}
    container-security:
      db:
        initJob:
          image:
            registry: {registry}